Tune into our first episode of Tool Talk: a how-to series for hackers. REGISTER ›

Untwisting the Mersenne Twister: How I Killed the PRNG

Untwisting the Mersenne Twister: How I killed the PRNG


Random number generation has been insecure for decades and there hasn’t been a practical pen testing tool to tackle this problem – until now, that is.

Enter Untwister

Untwister is a tool designed to help pentesters predict random number sequences when an application generates them using an insecure algorithm. The tool is named for the Mersenne Twister, one of the most widely used random generators.

Researchers have understood this for decades, but the concept has been purely hypothetical.

Random number generation is used for:

And that’s only the tip of the RNG iceberg.

If someone finds the initial seed, he or she can generate all following random numbers. This means someone could possibly do things like cheat online gambling sites, impersonate other users, and access confidential data.

Breaking random number generation has been almost completely theoretical before. Untwister has taken this idea and weaponized it.

Untwister reads the output from insecure random number generators and reveals the initial seed used to create those numbers. It accomplishes this via a few different methods:

Poorly chosen seeds. Application developers often choose seeds from not-so-secret numbers, such as the current server time or the service’s process ID (PID). This makes it easy to enumerate all possible valid seeds and recover the original.

Seed brute-force. Even when seeds are unpredictably chosen, brute-force enumeration is usually feasible. Since most insecure random generators take 32-bit integers as seeds, a strong computer can run through all 4.2 billion seed values.

State inference. Insecure random number generators still leak information about their internal state by way of selected numbers. Once an attacker observes enough of these values, all it takes is some math to reconstruct the generator’s current state. Once cracked, the generator’s state allows us to predict future and past values.

RNG Best Practices

How can developers protect their applications when security is at stake? By taking the time to do it properly. Most frameworks provide default random number generators, which are predictable and unsuitable for a secure context. To keep your random numbers unpredictable, however, use a Cryptographically Secure Pseudo-Random Number Generator (CSPRNG).

The exact available functions will depend on the language and framework, but some examples of CSPRNGs to use are:

  • Reading from /dev/urandom on a Unix-like system
  • The Java SecureRandom class
  • The .NET RNGCryptoServiceProvider class
  • The PHP openssl_random_pseudo_bytes() function

In contrast, some examples of random number generators to avoid are:

  • The libc rand() function
  • The Java Random class
  • The .NET Random class
  • PHP’s rand() and mt_rand() functions

The Untwister was originally presented by Bishop Fox's Joe DeMesy and Dan Petro at Security B-Sides Las Vegas on Aug. 5, 2014.

Want to download the Untwister for your pentesting purposes? Visit the Bishop Fox Github here.

Dan petro

About the author, Dan Petro

Lead Researcher at Bishop Fox

Dan Petro is a Lead Researcher at Bishop Fox and focuses on application penetration testing (static and dynamic), product security reviews, network penetration testing (external and internal), and cryptographic analysis. Dan has presented at several Black Hats and DEF CONs on topics such as hacking smart safes, hijacking Google Chromecasts, and weaponizing AI. He has developed several open-source tools including Untwister, which breaks pseudorandom number generators. Additionally, Dan has been quoted in Wired, The Guardian, Business Insider, and Mashable. Dan holds both a Bachelor of Science and a Master of Science in Computer Science from Arizona State University.
More by Dan

This site uses cookies to provide you with a great user experience. By continuing to use our website, you consent to the use of cookies. To find out more about the cookies we use, please see our Privacy Policy.